bugzilla-daemon at netfilter.org
2016-May-01 18:52 UTC
[Bug 1064] New: iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Bug ID: 1064
Summary: iptables-save fails silently in unprivileged lxc/lxd
container
Product: iptables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: iptables-save
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: phiphi at phiphi.ch
Originally reported to https://github.com/lxc/lxd/issues/1978
In an unprivileged lxc container, /proc/net/ip_tables_names is not readable.
iptables-save gives no output, but returns exit code 0.
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
exit_group(0) = ?
+++ exited with 0 +++
iptables-save command returns no output while iptables -nL works as expected
iptables-save is required to manage firewall with Puppet inside the containers,
as puppet relies on its output for deciding with which order it should add a
rule. Currently, the last rule drop all gets added at position 0 which will
instantly block all traffic to that container.
Is it a bug that /proc/net/ip_tables_names is not readable by unprivileged
containers? Where should this be reported?
Full strace:
root at iptables-test:~# strace iptables-save
execve("/sbin/iptables-save", ["iptables-save"], [/* 11 vars
*/]) = 0
brk(NULL) = 0x1e65000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f8b2320e000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0
mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8b23208000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0
mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f8b22de4000
mprotect(0x7f8b22dea000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22fe9000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f8b22fe9000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0
mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f8b22bdd000
mprotect(0x7f8b22be3000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22de2000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f8b22de2000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f8b23207000
mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f8b229d0000
mprotect(0x7f8b229db000, 2097152, PROT_NONE) = 0
mmap(0x7f8b22bdb000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f8b22bdb000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f8b22607000
mprotect(0x7f8b227c7000, 2093056, PROT_NONE) = 0
mmap(0x7f8b229c6000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f8b229c6000
mmap(0x7f8b229cc000, 14848, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8b229cc000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f8b22403000
mprotect(0x7f8b22406000, 2093056, PROT_NONE) = 0
mmap(0x7f8b22605000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f8b22605000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f8b23206000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f8b23205000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f8b23204000
arch_prctl(ARCH_SET_FS, 0x7f8b23205700) = 0
mprotect(0x7f8b229c6000, 16384, PROT_READ) = 0
mprotect(0x7f8b22605000, 4096, PROT_READ) = 0
mprotect(0x7f8b22bdb000, 4096, PROT_READ) = 0
mprotect(0x7f8b22de2000, 4096, PROT_READ) = 0
mprotect(0x7f8b22fe9000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ) = 0
mprotect(0x7f8b23210000, 4096, PROT_READ) = 0
munmap(0x7f8b23208000, 20483) = 0
brk(NULL) = 0x1e65000
brk(0x1e86000) = 0x1e86000
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
exit_group(0) = ?
+++ exited with 0 +++
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160501/241006ac/attachment.html>
bugzilla-daemon at netfilter.org
2016-May-01 18:53 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Philipp Gassmann <phiphi at phiphi.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phiphi at phiphi.ch
Severity|enhancement |normal
bugzilla-daemon at netfilter.org
2016-May-02 17:44 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
CC| |pablo at netfilter.org
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Kernel version? This should be fixed by:
commit f13f2aeed154da8e48f90b85e720f8ba39b1e881
Author: Philip Whineray <phil at firehol.org>
Date: Sun Nov 22 11:35:07 2015 +0000
netfilter: Set /proc/net entries owner to root in namespace
bugzilla-daemon at netfilter.org
2016-May-02 19:58 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #2 from Philipp Gassmann <phiphi at phiphi.ch> ---
Kernel version 4.4.0-21-generic #37-Ubuntu SMP on Ubuntu 16.04
bugzilla-daemon at netfilter.org
2016-May-03 09:02 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #3 from Pablo Neira Ayuso <pablo at netfilter.org> ---
This fix is available since 4.5. Could you run this version to confirm this is
already fixed? Will pass this to -stable so this propagates to other branches
if so. Thanks.
bugzilla-daemon at netfilter.org
2016-May-03 10:39 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #4 from Philipp Gassmann <phiphi at phiphi.ch> ---
Thank you. I don't have experience testing kernels. I just use regular
Ubuntu.
Can you quickly explain what was changed that should fix the issue? how is it
fixed, should iptables-save now work within unprivileged lxc/lxd containers?
Steps to reproduce:
Install ubuntu 16.04 with btrfs filesystem.
Install lxd: apt install lxd
lxd init
create a new container: lxc launch ubuntu:xenial iptables-test
Enter container: lxc exec iptables-test -- bash
Add iptable rule: iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
List rules: iptables -nL
execute: iptables-save
No output is returned
bugzilla-daemon at netfilter.org
2016-May-03 10:44 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #5 from Philipp Gassmann <phiphi at phiphi.ch> ---
If this fixes the issue, could this be backported to the ubuntu-lts kernel (4.4)?
bugzilla-daemon at netfilter.org
2016-May-03 11:00 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Yes, this can be backported to vanilla 4.4 kernels. And I guess ubuntu-lts
kernels rely on these that are available at kernel.org, but I'm not a ubuntu
developer so I cannot confirm this. In kernel.org, we have -stable branches, so
we can request stable submissions so fixes can be passed back on the Linux
kernel tree.
Going back to the question: it is that it is important to confirm that this is
indeed fixing your issue. That's why I'm requesting that you take the time to
give a try to 4.5.
You can find more information on this commit here:
http://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881
bugzilla-daemon at netfilter.org
2016-May-03 19:07 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #7 from Philipp Gassmann <phiphi at phiphi.ch> ---
Tested it in Virtualbox on Ubuntu 16.04 with Kernel 4.5.2 from
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.5.2-wily
Unfortunately I get the same results.
Had to add configuration because of incomplete apparmor support in the mainline
kernel.
root at lxd1:~# lxc launch ubuntu:xenial iptables-test
ubuntulxd at lxd1:~$ lxc config set iptables-test raw.lxc 'lxc.aa_allow_incomplete = 1'
ubuntulxd at lxd1:~$ lxc start iptables-test
ubuntulxd at lxd1:~$ lxc list
+---------------+---------+------+------+------------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------------+---------+------+------+------------+-----------+
| iptables-test | RUNNING | | | PERSISTENT | 0 |
+---------------+---------+------+------+------------+-----------+
ubuntulxd at lxd1:~$ lxc exec iptables-test -- bash
root at iptables-test:~# iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
root at iptables-test:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root at iptables-test:~# iptables-save
root at iptables-test:~# strace iptables-save
execve("/sbin/iptables-save", ["iptables-save"], [/* 12 vars
*/]) = 0
brk(NULL) = 0x1687000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f7d9358d000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20483, ...}) = 0
mmap(NULL, 20483, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7d93587000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\26\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27424, ...}) = 0
mmap(NULL, 2122496, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f7d93163000
mprotect(0x7f7d93169000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93368000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93368000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360\27\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=27456, ...}) = 0
mmap(NULL, 2122528, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f7d92f5c000
mprotect(0x7f7d92f62000, 2093056, PROT_NONE) = 0
mmap(0x7f7d93161000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f7d93161000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libxtables.so.11", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200/\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51872, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f7d93586000
mmap(NULL, 2148792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f7d92d4f000
mprotect(0x7f7d92d5a000, 2097152, PROT_NONE) = 0
mmap(0x7f7d92f5a000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f7d92f5a000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f7d92986000
mprotect(0x7f7d92b46000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92d45000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7f7d92d45000
mmap(0x7f7d92d4b000, 14848, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7d92d4b000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"...,
832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
0x7f7d92782000
mprotect(0x7f7d92785000, 2093056, PROT_NONE) = 0
mmap(0x7f7d92984000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f7d92984000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f7d93585000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f7d93584000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
0x7f7d93583000
arch_prctl(ARCH_SET_FS, 0x7f7d93584700) = 0
mprotect(0x7f7d92d45000, 16384, PROT_READ) = 0
mprotect(0x7f7d92984000, 4096, PROT_READ) = 0
mprotect(0x7f7d92f5a000, 4096, PROT_READ) = 0
mprotect(0x7f7d93161000, 4096, PROT_READ) = 0
mprotect(0x7f7d93368000, 4096, PROT_READ) = 0
mprotect(0x613000, 4096, PROT_READ) = 0
mprotect(0x7f7d9358f000, 4096, PROT_READ) = 0
munmap(0x7f7d93587000, 20483) = 0
brk(NULL) = 0x1687000
brk(0x16a8000) = 0x16a8000
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
exit_group(0) = ?
+++ exited with 0 +++
root at iptables-test:~# uname -a
Linux iptables-test 4.5.2-040502-generic #201604200335 SMP Wed Apr 20 07:37:26
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
bugzilla-daemon at netfilter.org
2016-May-03 19:22 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #8 from Philipp Gassmann <phiphi at phiphi.ch> ---
same with 4.6.0-rc2
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.6-rc6-wily/
open("/proc/net/ip_tables_names", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
exit_group(0) = ?
+++ exited with 0 +++
root at iptables-test2:~# uname -a
Linux iptables-test2 4.6.0-040600rc6-generic #201605012031 SMP Mon May 2
00:33:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
Why does it exit successfully?
iptables-save should not exit 0 if anything fails.
bugzilla-daemon at netfilter.org
2016-May-04 06:08 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Phil Whineray <phil at firehol.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil at firehol.org
--- Comment #9 from Phil Whineray <phil at firehol.org> ---
Regarding the kernel patch, it requires the following sequence of system calls,
so that a mapping for root is available before the network namespace is
created:
unshare(CLONE_NEWUSER);
/* Setup any mappings */
unshare(CLONE_NEWNET);
I expect lxc, since it predates the patch, just unshares the network namespace
at the same time as the user namespace, which will not have the desired effect
in this case.
I don't know how lxc works; are unprivileged containers started directly from
the command line or via a daemon? If the former, could someone try running it
with "unshare -r"?
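The syscall ordering from comment #9, written out as a runnable program. This is an added example for this archive page, not code from the bug report, from lxc, or from iptables. It creates a user namespace, writes the uid/gid maps so that uid 0 inside maps to the caller, and only then unshares the network namespace, which is the order the kernel commit f13f2aeed154 needs in order to resolve root's kuid when it creates the per-netns /proc/net entries. It then reads /proc/self/net/ip_tables_names the way the traced iptables-save does, but returns a non-zero status on failure, which is the behaviour the reporter asks for in comment #8. It assumes a Linux kernel of 4.5 or later with unprivileged user namespaces enabled, that the ip_tables module is loaded (otherwise the file does not exist in the new netns), and that /proc is mounted; the explicit `unshare` prototype and CLONE_* fallbacks are there only so the file compiles regardless of which feature macros an enclosing build sets. The uid 1000 in the comments is a constructed example value.

```c
/* Added example: user namespace first, id maps, then net namespace.
 * Not part of the bug report, lxc, or iptables. Linux-only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

int unshare(int flags);                 /* glibc prototype, in case _GNU_SOURCE was not seen */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000        /* values from <linux/sched.h> */
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif

/* /proc/net is a symlink to /proc/self/net, so this path follows the
 * calling task's current network namespace. Same file as in the strace. */
#define TABLE_NAMES "/proc/self/net/ip_tables_names"

/* Format one id_map line "inside outside count\n" (e.g. "0 1000 1\n").
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t n, unsigned inside, unsigned outside, unsigned count)
{
    int len = snprintf(buf, n, "%u %u %u\n", inside, outside, count);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Write one line into a /proc/self/{uid_map,gid_map,setgroups} file in a
 * single write(2), as the kernel requires for id maps. Returns 0 or -errno. */
static int write_proc(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    ssize_t w = write(fd, line, strlen(line));
    int saved = errno;
    close(fd);
    return (w == (ssize_t)strlen(line)) ? 0 : -saved;
}

/* Map uid/gid 0 inside the new user namespace to the caller's outer ids.
 * setgroups must be denied before an unprivileged process may write gid_map. */
static int map_root_to_self(uid_t outer_uid, gid_t outer_gid)
{
    char line[64];
    int rc;
    if (format_id_map(line, sizeof line, 0, outer_uid, 1) < 0) return -EINVAL;
    if ((rc = write_proc("/proc/self/uid_map", line)) < 0) return rc;
    if ((rc = write_proc("/proc/self/setgroups", "deny")) < 0) return rc;
    if (format_id_map(line, sizeof line, 0, outer_gid, 1) < 0) return -EINVAL;
    return write_proc("/proc/self/gid_map", line);
}

/* The sequence from comment #9. Doing CLONE_NEWUSER|CLONE_NEWNET in one
 * call creates the netns before a root mapping exists, so the kernel cannot
 * chown the /proc/net entries to the namespace's root. Returns 0 or -errno. */
int enter_userns_then_netns(void)
{
    uid_t uid = geteuid();
    gid_t gid = getegid();
    int rc;
    if (unshare(CLONE_NEWUSER) < 0) return -errno;
    if ((rc = map_root_to_self(uid, gid)) < 0) return rc;
    if (unshare(CLONE_NEWNET) < 0) return -errno;
    return 0;
}

/* Read the table list and report failure instead of hiding it: returns the
 * number of bytes read, or -errno (-EACCES is the case from the strace). */
int read_table_names(const char *path, char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -errno;
    ssize_t got = read(fd, buf, n - 1);
    int saved = errno;
    close(fd);
    if (got < 0) return -saved;
    buf[got] = '\0';
    return (int)got;
}

int main(void)
{
    char buf[256];
    struct stat st;
    int rc = enter_userns_then_netns();
    if (rc < 0) {
        fprintf(stderr, "namespace setup failed: %s\n", strerror(-rc));
        return 1;
    }
    /* With the patched kernel and this ordering the owner is uid 0 (namespace
     * root); an unmapped owner would instead show as the overflow uid 65534. */
    if (stat(TABLE_NAMES, &st) == 0)
        printf("%s owner uid=%u gid=%u mode=%04o\n", TABLE_NAMES,
               (unsigned)st.st_uid, (unsigned)st.st_gid, (unsigned)(st.st_mode & 07777));
    rc = read_table_names(TABLE_NAMES, buf, sizeof buf);
    if (rc < 0) {
        fprintf(stderr, "%s: %s\n", TABLE_NAMES, strerror(-rc));
        return 1;                       /* non-zero, unlike the traced iptables-save */
    }
    printf("tables:\n%s", buf);
    return 0;
}
```

Build with `cc -Wall -o nsorder nsorder.c` and run it as an unprivileged user. On a kernel that carries the commit and with this ordering, the stat line reports owner uid 0 and the table list is printed; if the file is unreadable the program exits 1 with the errno spelled out, which is what a configuration-management tool such as the reporter's Puppet setup needs in order to tell "no rules" apart from "could not read the rules".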
bugzilla-daemon at netfilter.org
2016-May-17 11:22 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
Philipp Gassmann <phiphi at phiphi.ch> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #10 from Philipp Gassmann <phiphi at phiphi.ch> ---
lxc now contains a fix in version 2.0.1 which was released yesterday.
https://github.com/lxc/lxc/pull/1014
https://linuxcontainers.org/lxc/news/#lxc-201-release-announcement-16th-of-may-2016
> core: Unshare netns after setting the userns mappings (fixes ownership of
> /proc/net)
bugzilla-daemon at netfilter.org
2016-May-23 14:35 UTC
[Bug 1064] iptables-save fails silently in unprivileged lxc/lxd container
https://bugzilla.netfilter.org/show_bug.cgi?id=1064
--- Comment #11 from Philipp Gassmann <phiphi at phiphi.ch> ---
With lxc/lxd 2.0.1 and kernel 4.5 iptables-save runs successfully.
https://github.com/lxc/lxd/issues/1978#issuecomment-220998013
Kernel-fix should be backported to Kernel 4.4 on Ubuntu xenial.